We recently wrote about a decision in Attias v. CareFirst, Inc., holding that a class of plaintiffs whose information was compromised in a cyberattack had sufficiently demonstrated standing to survive a motion to dismiss. The U.S. Court of Appeals for the Ninth Circuit now has added to the toolbox for plaintiffs in cyber cases whose standing is challenged.

In Robins v. Spokeo, which the Ninth Circuit heard on remand from the U.S. Supreme Court, the issue was whether the plaintiff —who alleged that an inaccurate report about him on Spokeo’s consumer reporting web site constituted willful violations of the Fair Credit Reporting Act — had alleged a sufficiently “real” injury to meet the elements necessary for Article III standing.

The district court dismissed the complaint, holding that the plaintiff’s allegation of a bare violation of the statute did not show that he had suffered an injury-in-fact. The Ninth Circuit reversed in Spokeo I, holding that by alleging a violation of his statutory rights, the plaintiff had alleged a concrete and particularized injury. The U.S. Supreme Court granted certiorari and vacated that opinion, holding that the Ninth Circuit’s analysis had been incomplete, and remanded for further consideration of whether the injury was sufficiently concrete to support standing.

Specifically, the court considered “the extent to which violation of a statutory right can itself establish an injury sufficiently concrete for the purposes of Article III standing.” While the FCRA provides an individual right to sue for violations of the statute, the Supreme Court made clear that such a right does not satisfy the injury-in-fact requirement for Article III standing per se.

Rather, “even when a statute has allegedly been violated, Article III requires such violation to have caused some real — as opposed to purely legal — harm to the plaintiff.” Congress’s decision to provide a right of action is instructive, however, in cases in which the harm alleged is intangible, the Supreme Court noted in kicking the case back to the Ninth Circuit. And some statutory violations are enough on their face to demonstrate concrete harm. Thus, the Ninth Circuit faced two questions: “(1) whether the statutory provisions at issue were established to protect [the plaintiff’s] concrete rights (as opposed to purely procedural rights), and if so, (2) whether the specific procedural violations alleged in this case actually had, or present a material risk to, such interests.”

The court had “little difficulty” concluding that consumers have a concrete interest in accurate credit reporting about themselves, noting that “given the ubiquity and importance of consumer reports in modern life … the real-world implications of material inaccuracies in those reports seem patent on their face.” Further, “the interests that FCRA protects also resemble other reputational and privacy interests that have long been protected by the law.”

Turning to the second question, the court distinguished between a violation of the statute that did not result in the creation or dissemination of an inaccurate consumer report and a violation like the one at hand, which did result in dissemination of inaccurate information about the plaintiff. The latter category can support standing, if the nature of the inaccurate disclosure is such that it creates a real risk of harm. The Ninth Circuit determined that the inaccuracies at issue — which related to the plaintiff’s age, marital status, educational background, and employment history — are “the type that may be important to employers or others making use of the consumer report” and do not constitute insignificant technical statutory violations. Further, the court held, the injury was not speculative, because it had already occurred. “It is of no consequence how likely Robins is to suffer additional concrete harm” (emphasis in original).

Thus, the Ninth Circuit sent the case back to the district court for trial, paving the way for future FCRA plaintiffs whose standing to sue is called into question.

Matt has counseled clients on the evaluation of data privacy risks, responses and solutions, and he serves as a breach coach, providing analysis and advice to address data breach events, including forensics, notification pursuant to federal and state laws, credit monitoring, and public relations issues. In addition to breach response, Matt has counseled insurers on the underwriting of cyber/tech policies.

In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration—it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.

Disclaimer
This Blog/Website is made available by the lawyer or law firm publisher for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. By using this blog site you understand that there is no attorney client relationship between you and the Blog/Website publisher. The Blog/Website should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.